The last policy has to be a REG_DWORD value but it has to be in decimal format. When you create the key, you type the value (for example 60) and when you bubble in "decimal" on the registry entry it changes the value from 60 to 0000003c. Is there a special way to provision for this? Or am I just safe doing another spin control?

Jonathan Finkbiner

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 06, 2008 4:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

That one's easy. The TXTCONVERT keyword converts those settings to REG_SZ. And, on the last policy, you're using an EDITTEXT Part, which automatically makes it REG_SZ.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

I went through a couple different iterations trying to troubleshoot. You are absolutely correct if you are saying I can consolidate this down into one single policy. For some reason these are being written to the registry as REG_SZ and not REG_DWORD values. Any ideas?

Jonathan Finkbiner

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
Sent: Wednesday, February 06, 2008 4:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

I also think you only need the first CATEGORY "NAC Options" and the last two END CATEGORYs

Doug Delaney
EDS - Integration Engineering-GM
GM Desktop Engineering

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, February 06, 2008 3:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

You don't need the HKEY_LOCAL_MACHINE in the KEYNAME.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:55 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom ADM Issues

Hey All,

I thought I sent this on Monday, but apparently with this "email" thing you have to hit a send button to get it to work.

I was looking for a little feedback on a custom adm template I've been working on. I am sure the problem is staring me right in the face but I am completely missing it.

I want to generate and manage 3 keys on all computers across the domain. The three keys are the following:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    "SupplicantMode"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GpNetworkStartTimeoutPolicyValue"=dword:0000003c (This should be a decimal value)

I've created adm templates before, but it has been a while and so far all I can do is get the event log to spit angry messages at me.
Here is a sample of the code I am using (I've left off the strings comments to keep this as brief as possible):

    CLASS MACHINE

    CATEGORY "System"

      CATEGORY "NAC Options"
        POLICY !!AMode
          EXPLAIN !!AMode_Exp
          KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
          PART "Authentication Mode" NUMERIC
            VALUENAME "AuthMode"
            MIN 0 MAX 2
            TXTCONVERT
            DEFAULT 2
            SPIN 1
          END PART
        END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
        POLICY !!SMode
          EXPLAIN !!SMode_Exp
          KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
          PART "Supplicant Mode" NUMERIC
            VALUENAME "SupplicantMode"
            MIN 1 MAX 3
            TXTCONVERT
            DEFAULT 3
            SPIN 1
          END PART
        END POLICY
      END CATEGORY

      CATEGORY "NAC Options"
        POLICY !!Timeout
          EXPLAIN !!Timeout_Exp
          KEYNAME "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
          PART "Timeout for NAC Negotiation" EDITTEXT REQUIRED
            VALUENAME "GpNetworkStartTimeoutPolicyValue"
            DEFAULT "0000003c"
          END PART
        END POLICY
      END CATEGORY

    END CATEGORY

There are 2 seemingly non specific errors that I am getting that may help. These are both from the event log:

"Windows cannot create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (The parameter is incorrect. )."

"Windows cannot access the registry policy file, \\domain.com\SysVol\domain.com\Policies\{BA8CA221-6DC1-4631-B838-4135A66DE872}\Machine\registry.pol. (The parameter is incorrect. )."

As always, thanks in advance.

Jonathan Finkbiner
Information Services Support Analyst
Lifestyle Family Fitness
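
Added example, not part of the original thread and not code from any poster: a small parser for the registry.pol format ("PReg" header, then UTF-16LE [key;value;type;size;data] records) that reports which of the three values discussed above would be stored as REG_SZ instead of REG_DWORD. The sample file is constructed and the function names are hypothetical; it also shows that decimal 60 and 0x0000003c are the same stored DWORD.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)            # signature, then version 1
EXPECTED = {"AuthMode": REG_DWORD, "SupplicantMode": REG_DWORD,
            "GpNetworkStartTimeoutPolicyValue": REG_DWORD}

def u16(s):
    return s.encode("utf-16-le")

def dword(n):
    return struct.pack("<I", n)                    # 60 -> 3c 00 00 00 (0x0000003c)

def entry(key, name, rtype, data):
    """Serialize one [key;value;type;size;data] record."""
    return (u16("[" + key + "\0;" + name + "\0;") + dword(rtype) + u16(";")
            + dword(len(data)) + u16(";") + data + u16("]"))

def read_str(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return it and the next offset."""
    end = pos
    while blob[end:end + 2] != b"\0\0":
        if end >= len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse(blob):
    """Return a list of (key, name, type, data) tuples."""
    if blob[:8] != HEADER:
        raise ValueError("missing PReg header")
    pos, out = 8, []
    while pos < len(blob):
        key, pos = read_str(blob, pos + 2)         # skip "["
        name, pos = read_str(blob, pos + 2)        # skip ";"
        rtype, = struct.unpack_from("<I", blob, pos + 2)
        size, = struct.unpack_from("<I", blob, pos + 8)
        out.append((key, name, rtype, blob[pos + 14:pos + 14 + size]))
        pos += 14 + size + 2                       # skip data and "]"
    return out

def audit(blob):
    """Return (name, stored_type) for values not stored as the expected type."""
    return [(n, t) for _, n, t, _ in parse(blob) if EXPECTED.get(n, t) != t]

EAPOL = r"SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed sample: two string-typed values next to one true DWORD.
SAMPLE = HEADER + b"".join([
    entry(EAPOL, "AuthMode", REG_SZ, u16("2\0")),          # NUMERIC + TXTCONVERT
    entry(EAPOL, "SupplicantMode", REG_DWORD, dword(3)),   # NUMERIC alone
    entry(WINLOGON, "GpNetworkStartTimeoutPolicyValue", REG_SZ, u16("0000003c\0")),
])
```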